Social Login (OAuth)
Note
Descope includes preconfigured OAuth applications for testing purposes, but these are limited to 100 total logins per month across all providers. Once you reach this limit, OAuth login will be disabled until the next month.
Therefore, for production use we recommend setting up your own OAuth accounts with custom branding and settings.
Social login (OAuth) allows users to sign in using their existing accounts from popular platforms such as Google, Facebook, or GitHub. Instead of creating new credentials, users simply click a provider button and authenticate through OAuth.
What is an OAuth Provider and Application?
An OAuth provider is a service that allows you to authenticate users using their existing accounts from popular platforms such as Google, Facebook, or GitHub.
An OAuth application is your app's registration directly with an OAuth provider like Google or Facebook. It includes details such as your app name, website URL, and branding assets.
Descope comes with built-in OAuth applications for all major providers. This means you can begin testing social login right away while Descope manages the OAuth login process in the background. When you're ready to customize or move to production, simply create your own OAuth applications with each provider and update their configurations in the Descope Console.
For guides on how to set up your own OAuth applications with Descope, see the Configuring OAuth Providers guide.
Social Login (OAuth) with Flows
This guide will walk you through integrating OAuth-based social login into your Descope Flows.
Flow Actions
OAuth login supports the standard actions available for most authentication methods:
- Sign Up / OAuth - Signs the user up; it will not work if the user already exists.
- Sign Up or In / OAuth - Signs the user in, and automatically signs them up if the user doesn't exist.
- Sign In / OAuth - Signs the user in; it fails if the user doesn't exist.
- Update User / OAuth - Merges the OAuth identity into an existing user.
How to Use OAuth Actions
To learn more about Actions in general, you can refer to our guide on them.
Most of these actions are pretty simple, and you can drop them in your application like any other Action.
This is an example of using the Sign Up or In action in a flow:
[Image: the Sign Up or In / OAuth action in a flow]
Merge without a Common Identifier
When you select Merge without a common identifier in the Update User / OAuth flow action, the latest OAuth user identity can be merged with another user even if that user doesn't have the same email address or phone number.
Prompt
All OAuth actions can include a Prompt parameter, which alters the behavior of the OIDC provider when the user is redirected to it. The possible values are:
- Login - The login prompt forces the user to re-authenticate, regardless of whether they are already logged in or have an active session with the OAuth provider.
- Consent - The consent prompt forces the OAuth provider to re-display the consent screen, asking the user to agree to the requested permissions (scopes) again, even if they have already granted consent.
- Select Account - The select_account prompt forces the user to select which account they want to use if they have multiple accounts logged in with the OAuth provider.
- None - The none prompt forces the authentication to complete without showing any UI to the user.
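As an added illustration (not Descope's code and not part of the original guide), the following shows how the four Prompt options correspond to the standard OIDC `prompt` request parameter, and how the redirect back should be handled when a `none` request cannot complete without UI. It goes beyond the text by allowing several values in one request; that rule, the rule that `none` must stand alone, and the error names come from the OpenID Connect Core specification, and all endpoint, client and redirect values are assumed to be supplied by the caller.

```javascript
// Added example: plain OIDC request/response handling, not Descope SDK code.
// Console label -> value sent in the OIDC `prompt` parameter.
const PROMPT_VALUES = new Map([
  ['Login', 'login'],
  ['Consent', 'consent'],
  ['Select Account', 'select_account'],
  ['None', 'none'],
]);

// Errors a provider returns when prompt=none cannot finish without UI (OIDC Core 3.1.2.6).
const NEEDS_INTERACTION = new Set([
  'login_required', 'consent_required',
  'interaction_required', 'account_selection_required',
]);

function buildAuthorizationUrl({ authorizeEndpoint, clientId, redirectUri, scope, state, prompts = [] }) {
  const values = prompts.map((label) => {
    if (!PROMPT_VALUES.has(label)) throw new Error(`unknown prompt: ${label}`);
    return PROMPT_VALUES.get(label);
  });
  // OIDC Core: `none` must be the only value when it is used.
  if (values.includes('none') && values.length > 1) {
    throw new Error('prompt "none" cannot be combined with other values');
  }
  const url = new URL(authorizeEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state); // caller supplies an unguessable per-request value
  if (values.length > 0) url.searchParams.set('prompt', values.join(' '));
  return url.toString();
}

// Decide what to do with the provider's redirect back to the application.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get('state') !== expectedState) {
    return { outcome: 'reject', reason: 'state mismatch' };
  }
  const error = params.get('error');
  if (error) {
    // A silent attempt that needs UI is retried interactively; anything else is refused.
    const outcome = NEEDS_INTERACTION.has(error) ? 'retry_interactive' : 'reject';
    return { outcome, reason: error };
  }
  const code = params.get('code');
  return code ? { outcome: 'exchange_code', code } : { outcome: 'reject', reason: 'missing code' };
}
```

A `retry_interactive` outcome means the same request should be sent again without `None`, so the provider can show its login or consent screen.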
Use a Default Provider
You can set a particular Default or Custom provider to redirect to with any of the Descope OAuth flow actions. This ensures that specific buttons in screens redirect to specific OAuth providers.
This is not needed if using the pre-generated OAuth provider buttons in the Screen editor, as these are automatically mapped to their corresponding provider internally to be used with actions.
Flow Screens
When using OAuth, you can use either the Default Provider buttons or normal buttons and connect them to the various OAuth actions mentioned above.
Error Handling
Errors are handled as with any other action. You can refer to our Flow Error Handling guide for more details.